U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT THE
NATIONAL ASSOCIATION OF LETTER CARRIERS
HEALTH BENEFIT PLAN

Report No. 1B-32-00-13-037
Date: May 6, 2014

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.


Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT 1067
NATIONAL ASSOCIATION OF LETTER CARRIERS
HEALTH BENEFIT PLAN
PLAN CODE 32
ASHBURN, VIRGINIA

Report No. 1B-32-00-13-037
Date: May 6, 2014

________________________
Michael R. Esser
Assistant Inspector General
for Audits


Executive Summary

This final report discusses the results of our audit of general and application controls over the information systems at the National Association of Letter Carriers Health Benefit Plan (NALC HBP or Plan).

Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for NALC HBP, as well as the various processes and information technology (IT) systems used to support these applications. We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
NALC HBP has not developed an adequate security management program. NALC HBP has not developed IT security policies and procedures, has not implemented a formal security awareness training program or a specialized training program, and has not established a formal risk management program.

Access Controls
NALC HBP has not implemented adequate physical access controls surrounding its facilities and data center. Additionally, we documented several opportunities for improvement in NALC HBP's logical access controls, specifically its password policy, segregation of duties, and monitoring of user accounts.

Network Security
Our review of the network security controls indicated that NALC HBP has implemented and utilizes a firewall to protect its network environment. However, we noted several areas of concern:
• Formal policies and procedures have not been implemented for:
  o Security Incident Response,
  o Vulnerability Management and Remediation,
  o Patch Management, and
  o Firewall Configuration Management;
• Vulnerability scan results indicate that critical patches, service packs, and hot fixes are not implemented in a timely manner; and
• The Plan does not have controls to detect and prevent unauthorized devices from connecting to the internal network.

Configuration Management
NALC HBP has not developed formal policies and procedures that provide guidance to ensure that system software is appropriately configured and updated. NALC HBP has not documented formal baseline configurations for all of the utilized operating platforms and, as a result, is unable to routinely audit its network servers' configuration against any approved configuration settings. NALC HBP has also not established a formal systems development lifecycle methodology. NALC HBP has documented corporate password standards, but we discovered many instances where information systems did not follow the established guidelines.

Contingency Planning
NALC HBP has not conducted an adequate business impact analysis. Currently, NALC HBP does not have an alternate location to recover its computing environment in the event of a disaster at its primary data center. NALC HBP has also not established an alternate work site for its employees to allow critical business operations to continue if the main facility is not accessible. The backup power generator at the NALC HBP facility does not have the capacity to sustain the data center in the event of a prolonged power outage. NALC HBP's contingency plan does not address many of the suggested elements of relevant guidance, and the plan is not tested routinely. NALC HBP also does not routinely perform emergency response training related to business continuity and disaster recovery for its employees with responsibilities in these areas.

Claims Adjudication
NALC HBP has implemented many controls in its claims process to ensure that FEHBP claims are processed accurately with regard to enrollment and debarment. However, we noted significant weaknesses [redacted]. NALC HBP informed the OIG that Cigna, its pricing vendor, may have edits in place to prevent or identify these issues, but to date has not provided sufficient evidence to support this claim. As a result, we are issuing this report with the assumption that no additional controls exist.

Health Insurance Portability and Accountability Act (HIPAA)
The Plan developed a series of privacy policies and procedures that address requirements of the HIPAA privacy rule. However, not all of the elements of the HIPAA security rule have been implemented.


Contents

                                                              Page
Executive Summary ........................................... i
I. Introduction ............................................. 1
   Background ............................................... 1
   Objectives ............................................... 1
   Scope .................................................... 2
   Methodology .............................................. 2
   Compliance with Laws and Regulations ..................... 3
II. Audit Findings and Recommendations ...................... 4
   A. Security Management ................................... 4
   B. Access Controls ....................................... 8
   C. Network Security ..................................... 16
   D. Configuration Management ............................. 22
   E. Contingency Planning ................................. 25
   F. Claims Adjudication .................................. 31
   G. Health Insurance Portability and Accountability Act .. 35
III. Major Contributors to This Report ..................... 36
   Appendix I: Flash Audit Alert – Information Security at the National Association of Letter Carriers Health Benefit Plan, issued July 29, 2013.
   Appendix II: National Association of Letter Carriers Health Benefit Plan's January 31, 2014 response to the draft audit report issued December 2, 2013.


I. Introduction

This final report details the findings, conclusions, and recommendations resulting from our audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims by the National Association of Letter Carriers Health Benefit Plan (NALC HBP or Plan).

The audit was conducted pursuant to FEHBP contract CS 1067; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

This was our second audit of NALC HBP's general and application controls. The first audit was conducted in 2004, and all recommendations from that audit were closed prior to the start of the current audit. We also reviewed NALC HBP's compliance with the Health Insurance Portability and Accountability Act (HIPAA).

During the field work phase of this audit, we issued a flash audit alert to bring immediate attention to serious concerns we had regarding NALC HBP's ability to adequately secure sensitive Federal data. The alert included two recommendations that we believed were urgent in nature, and advised NALC HBP to begin immediately taking steps to address the weaknesses.

All NALC HBP personnel that worked with the auditors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit were greatly appreciated. We would also like to commend the Plan for taking prompt corrective actions on many of the recommendations within this report.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in NALC HBP's IT environment. We accomplished these objectives by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to NALC HBP's claims processing system; and
• HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of NALC HBP's internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of NALC HBP's internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The scope of this audit centered on the information systems used by NALC HBP to process medical insurance claims for FEHBP members, with a primary focus on the claims adjudication applications. NALC HBP claims are priced through a third party, Cigna, before they are processed by [redacted] the Plan's claims adjudication system. The business processes reviewed are primarily located in NALC HBP's Ashburn, Virginia facility.

The on-site portion of this audit was performed from June through July of 2013. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at NALC HBP as of August 2013.

In conducting our audit, we relied to varying degrees on computer-generated data provided by NALC HBP. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed the audit steps necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this review we:
• Gathered documentation and conducted interviews;
• Reviewed NALC HBP's business structure and environment;
• Performed a risk assessment of NALC HBP's information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating NALC HBP's control structure. These criteria include, but are not limited to, the following publications:
• Title 48 of the Code of Federal Regulations;
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute's CobiT: Control Objectives for Information and Related Technology;
• GAO's FISCAM;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-50, Building an Information Technology Security Awareness and Training Program;
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether NALC HBP's practices were consistent with applicable standards. While generally compliant with respect to the items tested, NALC HBP was not in complete compliance with all standards, as described in the "Audit Findings and Recommendations" section of this report.


II. Audit Findings and Recommendations

A. Security Management
The security management component of this audit involved the examination of the policies and procedures that are the foundation of NALC HBP's overall IT security controls. We evaluated NALC HBP's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls. We also reviewed NALC HBP's human resources policies and procedures related to hiring, training, transferring, and terminating employees.

The sections below outline our concerns with NALC HBP's security management program.

1. Entity-Wide IT Policies and Procedures
NALC HBP has not developed comprehensive IT security policies and procedures. IT policies and procedures are the critical foundation of a strong information security program, as these documents provide guidance on how IT security should be managed at a specific organization.

FISCAM states that "Entities should have a written plan that clearly describes the entity's security program, and policies and procedures that support it. The plan and related policies should cover all major systems and facilities and outline the duties of those who are responsible for overseeing security (the security management function) as well as those who own, use, or rely on the entity's computer resources. . . . To be effective, the policies and plan should be maintained to reflect current conditions. They should be periodically reviewed and, if appropriate, updated and reissued to reflect changes in risk due to factors such as changes in agency mission or the types and configuration of computer resources in use."

Without well-defined IT security policies, security controls may be inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied.

Recommendation 1 (from Flash Audit Alert issued July 29, 2013)
We recommend that NALC HBP develop comprehensive IT security policies and procedures. At a minimum, NALC HBP should implement policies and procedures related to the following topics:
• Risk Assessments
• Contingency Planning and Testing
• Security Awareness Training
• Employee Termination
• Physical Access Controls
• Auditing/Monitoring User and Administrator Activity
• Appropriate Use of Software
• Segregation of Duties
• Security Incident Response
• Password Requirements
• Vulnerability Scanning
• Server Configuration Management, Baseline Configurations, and Auditing Server Configuration
• System Development Lifecycle
• Firewall Management
• Web and E-mail Filtering
• Wireless Network Access
• Control of Removable Media

NALC HBP Response:
"The NALC HBP has developed and adopted the attached Information Security Policies and Procedures"

OIG Reply:
The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has developed detailed policies and procedures for its IT security program; no further action is required.

Recommendation 2
We recommend that NALC HBP implement a process to routinely review and update its IT security policies.

NALC HBP Response:
"The NALC HBP has established an Information Security Management Committee.

The committee members are: NALC HBP Director, the NALC HBP Administrator, the Human Resources Manager, the Facilities Manager, the Information Systems Manager, the Claims Superintendent, the HIPAA Security Officer and the HIPAA Privacy Official.

The committee, in conjunction with members of the Information Systems Department staff and representatives from the Administrative and Claims departments, have been integral in formulating the newly established policies. The committee will meet annually prior to the scheduled risk assessment to review and update IT security policies.

Policies will be addressed accordingly if circumstances dictate a review and update prior to the scheduled event.

The NALC HBP policy is now formally documented in IS-01 Information Security Program Policy on Policies and will be effective on February 1, 2014."

OIG Reply:
The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a process to routinely review and update its IT security policies; no further action is required.

2. Security Awareness Training
NALC HBP has not implemented a formal security awareness training program for its full-time, part-time, temporary, or contractor employees.

Section 164.308(5)(i) of HIPAA states that the organization must, "Implement a security awareness and training program for all members of its workforce (including management)."

Without a formal security awareness training program, employees cannot be held accountable for security breaches, as they have not been properly trained. Without regular awareness training, employees may not be aware of their responsibilities for protecting the organization's resources. This lack of employee knowledge and understanding could expose NALC HBP's confidential information to unauthorized personnel.

Recommendation 3
We recommend that, as part of its efforts to obtain compliance with the HIPAA security rule, NALC HBP implement a security awareness training program for its employees. For guidance in creating a security awareness program see NIST SP 800-50, Building an Information Technology Security Awareness and Training Program.

NALC HBP Response:
"The NALC HBP is in the process of creating a security awareness program based upon our own policies in conjunction with outside resources. Specifically we have contacted [redacted] regarding their [redacted] educational suite and [redacted] regarding their [redacted] product. Upon selection of the appropriate product, we will incorporate pertinent materials into our security program.

We are anticipating an April 2014 launch for our security awareness training program for all employees and will update our new employee educational material to address the security requirements."

OIG Reply:
As part of the audit resolution process, we recommend that NALC HBP provide OPM's Healthcare and Insurance Office (HIO) with supporting evidence when a security awareness training program has been developed and implemented.

3. Specialized Training
Personnel responsible for the administrative, technical, and operational security of NALC HBP's technical operating environment do not receive the routine training necessary to adequately monitor and maintain the Plan's network infrastructure and external access points to its information system resources.

According to NIST SP 800-12 Chapter 13, "Many groups need more advanced or more specialized training than just basic security practices. For example, managers may need to understand security consequences and costs so they can factor security into their decisions, or system administrators may need to know how to implement and use specific access control products. . . . A security training program normally includes training classes, either strictly devoted to security or as added special section or modules within existing training classes. Training may be computer- or lecture-based (or both), and may include hands-on practice and case studies."

Without a specialized training program, the personnel responsible for IT security at NALC HBP are not equipped with the necessary knowledge to identify and address security weaknesses, implement and use access control and system monitoring tools, or understand the security consequences and costs that should be factored into their decisions.

Recommendation 4
We recommend that NALC HBP develop and implement a training program for employees with IT security responsibilities. The program should include:
• A process to identify and categorize positions with security responsibilities;
• Inclusion of specialized security training requirements within job descriptions;
• Opportunities to seek and maintain technical certifications;
• Documentation of training completed by each employee; and
• A periodic review of employee records to ensure that specialized security training is completed in accordance with standards.

NALC HBP Response:
"The NALC HBP is reviewing outside sources for purposes of establishing specialized training for employees with IT security responsibilities, which will include the bulleted items above. The sources contacted to date are [redacted].

The NALC HBP has always encouraged and has a documented history of allowing our employees opportunities to seek and maintain technical certifications."

OIG Reply:
As part of the audit resolution process, we recommend that NALC HBP provide OPM's HIO with evidence when a training program for employees with elevated IT security responsibilities has been developed and implemented.

4. Risk Assessment
NALC HBP has not established a risk management program that identifies, classifies, and mitigates human or environmental threats to its computer-based operating environment.

According to FISCAM, "Risk assessments should consider data sensitivity and integrity and the range of risks that an entity's systems and data may be subject to, including those posed by authorized internal and external users, as well as unauthorized outsiders who may try to 'break into' the systems."

HIPAA Security and Privacy Standard 164.308(a)(1)(ii) requires organizations to:
"(A) . . . Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. . . .
(B) . . . Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."

Recommendation 5
We recommend that NALC HBP develop and implement a risk management policy and a risk assessment methodology. NIST SP 800-30 Revision 1 serves as an excellent reference to assist NALC HBP with the development of its risk management program. Implementation of the suggested framework would also help NALC HBP obtain compliance with the HIPAA Security Rule.

NALC HBP Response:
"The NALC HBP policy is now formally documented in IS-19 IT Risk Management Policy and will be effective on February 1, 2014."

OIG Reply:
The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has developed and implemented a risk management policy and a risk assessment methodology; no further action is required.

B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources.

We examined the physical access controls of NALC HBP's facility and data center. We also examined the logical controls protecting sensitive data in NALC HBP's network environment and claims processing related applications.

The access controls observed during this audit include, but are not limited to:
• Procedures for appropriately authorizing physical access to the facility and data center; and
• Procedures for revoking access to the facility and data center for terminated employees.

The following sections document several opportunities for improvement related to NALC HBP's physical and logical access controls.

1. Password policy
NALC HBP does not have policies or procedures for creating, changing, and safeguarding passwords. In addition, the current configuration of password-related values for [redacted] does not provide adequate protection against unauthorized system access.

Section 164.308(5)(ii)(D) of the HIPAA security rule requires an organization to document procedures for creating, changing, and safeguarding passwords; FISCAM provides password guidelines; and NIST SP 800-14 outlines requirements for the creation and maintenance of IDs and passwords.

Failure to implement a strong password policy puts sensitive data at risk of malicious attacks.

Recommendation 6
We recommend that NALC HBP implement a password policy that closely reflects industry standards.

NALC HBP Response:
"The NALC HBP policy is now formally documented in IS-05 Account Management Policy and will be effective on February 1, 2014. We believe the policy provides appropriate safeguards in light of NALC HBP's business needs."

OIG Reply:
The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a password policy that utilizes industry best practices; no further action is required.

Recommendation 7
[...] password setting weaknesses once a standard p[...] organization.

NALC HBP Response:
"The NALC HBP policy is now formally documented in IS-05 Account Management Policy and will be effective on February 1, 2014."

OIG Reply:
The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a password policy that utilizes industry best practices. However, as part of the audit resolution process, we recommend that NALC HBP provide OPM's HIO with evidence that [redacted] password settings comply with the Plan's new

2. Segregation of duties
NALC HBP has three domain administrators that share a single user account for [redacted]. This user account is not monitored, and audit logs of the account's activity are not reviewed.

FISCAM states that "Work responsibilities should be segregated so that one individual does not control all critical stages of a process."

NIST SP 800-53, Revision 4, states that the organization must separate "duties of individuals as necessary, to prevent malevolent activity without collusion; documents separation of duties; and implements separation of duties through assigned information system access authorizations."

Failure to implement adequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, that improper changes could be implemented, or that computer resources could be damaged or destroyed. With no routine review of privileged user activity, NALC HBP is not able to link users to specific tasks performed. This increases the risk that malicious activity could go undetected and sensitive information could be compromised.

Recommendation 8
We recommend that NALC HBP establish unique user accounts for each privileged user.

NALC HBP Response:
"The NALC HBP has created unique user accounts for privileged users.
     At present, three Information Systems [redacted] senior managers have unique privileged accounts on the network and on the [redacted]. The Network Administrator has a unique privileged account on the network but not on the [redacted]. The Programming Staff members have a lesser set of privileges on the [redacted] than the senior managers but [redacted] network privileges. The Operations staff has a unique set of privileges on the [redacted] that are different than the programming staff and lesser than the senior managers, and have a unique set of privileges on the network that are lesser than the senior managers.

     The NALC HBP policy is now formally documented in IS-04 Access Control Policy and will be effective on February 1, 2014.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has established unique user accounts for privileged users; no further action is required.

     Recommendation 9
     We recommend that NALC HBP implement a process to routinely review privileged user activities.

     NALC HBP Response:
     “We have contracted with a third-party to provide an appliance and application that will allow them to monitor account activity on our behalf. This will provide real-time alerts based upon the sensitivity settings and will allow immediate review as required. A full review will be conducted weekly by internal and/or the third party sources.

     The NALC HBP policy is now formally documented in IS-18 Monitoring and Log Management Policy.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a process to routinely review privileged user activities; no further action is required.

  3. Monitoring of Active Accounts
     NALC HBP does not audit or review [redacted] user accounts. For [redacted] accounts, the database administrator selects a subset of accounts to review, but there is no formal procedure in place outlining what should be looked at during this review. We performed a test to evaluate whether administrators are appropriately removing an employee’s logical access after termination. The results indicated that seven [redacted] accounts were not properly removed after the employees’ termination.

     NALC HBP has no process in place to review the appropriate level of access for active user accounts for any of the applications used to gain access to sensitive data. We could not conduct independent testing for appropriateness because NALC HBP does not document the access level approved for each user.

     NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule, states that organizations should develop “procedures for reviewing and, if appropriate, modifying access authorizations for existing users.” Furthermore, NIST SP 800-12, An Introduction to Computer Security, states that access reviews should “examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.”

     Recommendation 10
     We recommend that NALC HBP implement a process to review logical access to all of its systems and supporting applications to ensure that no terminated individuals retain access.

     NALC HBP Response:
     “A list of all active employees will be forwarded to the Information Systems Department by the Human Resources department [redacted]. The Information Systems Department will compare the list against active network accounts and active [redacted] accounts for accuracy. Accounts will be adjusted accordingly.

     Documentation of the review will be retained in the Human Resources Department.

     The NALC HBP policy is now formally documented in IS-04 Access Control Policy and will be effective on February 1, 2014.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a process to review access to all of its systems to ensure that no terminated individuals retain access; no further action is required.

     Recommendation 11
     We recommend that NALC HBP implement a process to review active user accounts across major applications for appropriateness.

     NALC HBP Response:
     “The Information Systems Department will conduct [redacted] review of all network accounts [redacted] appropriate levels of access. The NALC HBP is assessing a monitoring tool from [redacted] for [redacted] accounts to ensure appropriate levels of access. The Information Systems Department will compare the list against active network accounts and active [redacted] accounts for accuracy. Accounts will be adjusted accordingly.

     The NALC HBP policy is now formally documented in IS-04 Access Control Policy and will be effective on February 1, 2014.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a process to review the level of access for active user accounts for all applications containing sensitive data; no further action is required.

  4. Weaknesses Identified in Physical Access Controls
     Data Center
     NALC HBP's data center did not contain several controls that we typically observe at similar facilities, including:
     •   multi-factor authentication to enter the computer room (e.g., cipher lock or biometric device in addition to an access card);
     •   piggybacking alarms to enter the computer room (alarm that sounds if more than one person walks past a sensor for each access card that is swiped); and
     •   video monitoring at the entrances.

     Failure to implement proper physical access controls increases the risk that unauthorized individuals can gain access to NALC HBP's data center and the sensitive resources and confidential data it contains.

     NIST SP 800-53 Revision 4 provides guidance for adequately controlling physical access to information systems containing sensitive data.

     Recommendation 12
     We recommend that NALC HBP improve the physical access controls at its data center. At a minimum, the computer room should have multi-factor authentication and piggybacking controls at both entrances.

     NALC HBP Response:
     “The NALC HBP is in agreement and is soliciting proposals from qualified vendors to augment the current physical access controls at its data center to include multi-factor authentication and alarm-based anti-piggyback controls at both entrances.”

     OIG Reply:
     As part of the audit resolution process, we recommend that NALC HBP provide OPM’s HIO with evidence when physical access controls at the data center have been improved to include multi-factor authentication and anti-piggybacking controls.

     Facility
     NALC controls physical access to its facility with proximity card readers, CCTV surveillance and security guards posted inside the building’s two main entrances.
     However, the following elements of NALC HBP’s facility security controls could be improved:
     •   a routine audit of active access cards;
     •   a recertification process for employees with specialized access to the building;
     •   the temporary badge termination process; and
     •   piggybacking controls.

     We compared a list of employees that were terminated within the last three years to a list of active access cards and discovered that six terminated employees still had access to NALC HBP’s facility. In response to this test finding, NALC HBP immediately removed the access of the terminated employees.

     A limited group of employees, including the Director and senior management, are granted unrestricted access at every entrance to NALC HBP’s facility 24 hours a day and 7 days a week. However, there is currently no process in place to recertify that these employees still require this level of access to the facility.

     Temporary badges for visitors could be set to expire after a certain pre-determined period of time; however, NALC HBP does not enforce this. When access for a visitor is no longer required, an email is manually sent to the facilities director as a reminder to remove the visitor’s access.

     In addition, NALC HBP does not have physical access controls in place to prevent employees from piggybacking into secure areas (one person using an electronic access card to open a door, then holding that door open while others enter).

     FISCAM states that “Controls should accommodate employees who work at the entity’s facilities on an everyday basis; occasional visitors, such as employees of another entity facility or maintenance people; and infrequent or unexpected visitors. Physical controls vary, but include: manual door or cipher key locks, magnetic door locks that require the use of electronic keycards, biometrics authentication, security guards, photo IDs, entry logs, and electronic and visual surveillance systems.”

     Also, FISCAM states that “By obtaining physical access to computer facilities and equipment, an individual could (1) obtain access to terminals or telecommunications equipment that provide input into the computer, (2) obtain access to confidential or sensitive information on magnetic or printed media, (3) substitute unauthorized data or programs, or (4) steal or inflict malicious damage on computer equipment and software.”

     In addition, NIST SP 800-53 Revision 4 provides guidance for adequately controlling physical access to information systems containing sensitive data.

     Recommendation 13
     We recommend that NALC HBP implement a process for routinely auditing all active access cards to ensure that they are not assigned to terminated employees.

     NALC HBP Response:
     “A list of all active access cards will be forwarded by the facilities manager [redacted] to Human Resources to ensure

     •   Cards are issued to active employees only
     •   Access level is appropriate for duties
     •   Card number corresponds with ID number

     The review of active access cards will be conducted by the Human Resources Department staff and a log of the event review will be maintained in that department.

     The NALC HBP policy is now formally documented in IS-12 Physical Access Security Policy and will be effective on February 1, 2014. These are also reflected in HR Policies and Procedures Manual.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a process to routinely audit all active access cards to ensure they are no longer assigned to terminated employees; no further action is required.

     Recommendation 14
     We recommend that NALC HBP implement a process to routinely recertify that employees with specialized access still require such access. If no specialized access is required, then the access level should be adjusted accordingly.

     NALC HBP Response:
     “A list of all specialized Access Cards will be forwarded [redacted] to the Administrative Office for review or more frequently as changes become necessary. Upon review, specialized access will be adjusted accordingly.

     Documentation of the review will be retained in the Human Resources Department.

     The NALC HBP policy is now formally documented in IS-12 Physical Access Security Policy and will be effective on February 1, 2014. These are also reflected in HR Policies and Procedures Manual.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a recertification process to ensure employees with specialized access still require that level of access and, when that access is no longer required, it is promptly removed; no further action is required.

     Recommendation 15
     We recommend that NALC HBP implement a process to automatically disable temporary access badges.

     NALC HBP Response:
     “Temporary cards are activated upon request from Human Resources when an employee forgets their permanent access badge. Our current system is unable to deactivate automatically.
     An RFI is being solicited for upgrade/replacement of Access System.

     In the interim, temporary cards are deactivated manually [redacted].

     The NALC HBP policy is now formally documented in IS-12 Physical Access Security Policy and will be effective on February 1, 2014. These are also reflected in HR Policies and Procedures Manual.”

     OIG Reply:
     As part of the audit resolution process, we recommend that NALC HBP provide OPM’s HIO with evidence of the upgraded/replacement badging system.

     Recommendation 16
     We recommend that NALC HBP reassess the physical access controls at its facility and implement controls that will ensure proper physical security. At a minimum, NALC HBP should implement a piggybacking control at the two main entrances to the facility.

     NALC HBP Response:
     “The NALC HBP acknowledges the concern and has been actively investigating potential solutions to address the piggybacking issue highlighted by the OIG. While similar in nature to the concern raised with respect to the data center controls, we have determined the approach must be different due to the higher volume of employees passing through these entrances, and may involve the use of a turnstile or similar system. Any modification of the two main entrances of this nature must also be fully ADA compliant, will require building owner authorization and the appropriate building code permits.”

     OIG Reply:
     As part of the audit resolution process, we recommend that NALC HBP provide OPM’s HIO with evidence once the Plan has implemented an appropriate level of physical access controls at the two main entrances to their facility.

C. Network Security
  Network security includes the policies and controls used to prevent or detect unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. NALC HBP has recently begun to implement an incident response and network security program.

  We evaluated NALC HBP’s network security program and reviewed the results of several automated vulnerability scans we performed during this audit. We noted the following opportunities for improvement related to NALC HBP’s network security controls.

  1. Incident Response
     NALC HBP has not implemented a formal incident response policy or procedure. NALC HBP has recently implemented an intrusion detection system that, if configured appropriately, has the ability to detect certain levels of intrusion activity and automatically notify relevant personnel. However, NALC HBP has not formally identified what constitutes an intrusion, and the system has not been configured to notify personnel.

     NIST SP 800-53 Revision 4 requires an organization to develop, document and disseminate an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, as well as procedures to facilitate the implementation of the incident response policy and associated incident response controls.

     Recommendation 17
     We recommend that NALC HBP develop and implement incident response policies and procedures in accordance with NIST SP 800-53 Revision 4.

     NALC HBP Response:
     “The NALC HBP policy is now formally documented in IS-15 Incident Management Policy and will be effective on February 1, 2014.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has developed and implemented incident response policies and procedures in accordance with NIST guidance; no further action is required.

  2. Full Scope Vulnerability Scanning
     We conducted a review of NALC HBP's computer server vulnerability management program to determine if adequate controls were in place to detect, track, and remediate vulnerabilities.

     NALC HBP has not implemented a thorough vulnerability scanning methodology to detect known weaknesses, and its server environment has only been subject to a single vulnerability scan. NIST SP 800-53 Revision 4 states that the organization should routinely scan “for vulnerabilities in the information system and hosted applications . . . .”

     Failure to perform full scope vulnerability scanning increases the risk that NALC HBP's systems contain security vulnerabilities that could lead to sensitive data being stolen or destroyed.

     Recommendation 18
     We recommend that NALC HBP implement a methodology to routinely conduct vulnerability scans on its entire network environment, and to remediate vulnerabilities detected during scans in a timely manner.

     NALC HBP Response:
     “The NALC HBP has deployed a vulnerability scanning product from [redacted].

     The product proactively scans our environment for misconfigurations, vulnerabilities and malware and provides guidance for mitigating risk.

     An automated vulnerability scan is performed on all [redacted] on [redacted]. A manual scan [redacted] an [redacted] servers performed on [redacted]. Due to the [redacted] nature of the [redacted] Systems, appropriate staff will be on [redacted] during the scan in the event of an issue.

     Vulnerabilities are remediated in a timely manner according to their level of criticality.

     A vulnerability trend report showing progress of the remediation process is emailed to appropriate staff on a monthly basis.

     The NALC HBP policy is now formally documented in IS-10 Malicious Software Management Policy and will be effective on February 1, 2014.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a process to routinely conduct vulnerability scans on the entire network environment. However, as part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence of the [redacted] scan reports, vulnerability tracking system, and evidence of remediation.

  3. Vulnerabilities Identified by OIG Scans
     System Patching
     NALC HBP has not documented its patch management policies and procedures. The results of our vulnerability scans indicate that critical patches, service packs, and hot fixes are not implemented in a timely manner.

     FISCAM states that “software should be scanned and updated frequently to guard against known vulnerabilities.” NIST SP 800-53 Revision 4 requires that “The organization (including any contractor to the organization) promptly installs security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, are also addressed expeditiously.”

     Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive information could be compromised.

     Recommendation 19
     We recommend that NALC HBP implement procedures and controls to ensure that its servers are updated with the appropriate patches, service packs, and hotfixes on a timely basis.

     NALC HBP Response:
     “The Plan [redacted] in order to address this finding.”

     OIG Reply:
     The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented procedures and software to ensure that its servers are updated with the appropriate patches, service packs, and hotfixes on a timely basis; no further action is required.

  5. Firewall Management
     NALC HBP has implemented and utilizes a firewall to protect its network environment. However, a firewall policy, a routine compliance review process, and a firewall change control process have not been formally documented.

     NIST SP 800-41 Revision 1 states that a firewall policy should dictate how firewalls handle network traffic based on the organization’s information security policies, and a risk analysis should be performed to determine types of traffic needed by the organization.
The policy\n   should also include specific guidance on how to address changes to the rule set.\n\n   Failure to develop a firewall configuration policy and manage the settings increases the\n   organization\xe2\x80\x99s exposure to unsecure traffic and vulnerabilities.\n\n   Recommendation 23\n   We recommend that NALC HBP develop a formal firewall management policy.\n\n   NALC HBP Response:\n   \xe2\x80\x9cThe NALC HBP policy is now formally documented in IS-11 Network Security\n   Management Policy and will be effective on February 1, 2014.\n\n   Baseline configurations are being established as part of the implementation and training\n   process for the new firewall.\xe2\x80\x9d\n\n   OIG Reply:\n   The evidence provided by NALC HBP in response to the draft audit report indicates that the\n   Plan has documented a formal firewall management policy; no further action is required.\n\n   Recommendation 24\n   We recommend that NALC HBP implement a process to conduct routine configuration\n   compliance reviews of its network firewalls.\n\n   NALC HBP Response:\n   \xe2\x80\x9cAs part of the new firewall implementation process, the technician performing the\n   installation will assist in establishing configuration compliance review methodology.\xe2\x80\x9d\n\n   OIG Reply:\n   As part of the audit resolution process, we recommend that the Plan provide OPM\xe2\x80\x99s HIO\n   with evidence when a process to conduct routine configuration compliance reviews on the\n   firewalls has been implemented.\n\n\n\n\n                                               21\n\x0cD. Configuration Management\n  System Software\n  NALC HBP \'s claims processing\n  and additional supp01iing applications are   ma\n  eval uated NALC HBP \'s configuration management\n\n  The sections below document areas for improvement related to NALC HBP\'s configuration\n  man agement controls.\n\n  1. 
Configuration Management Policies and Procedures\n     NALC HBP has not developed configuration policies and procedures related to ensuring its\n     computer servers are configured in a secure manner. In addition, NALC HBP has not\n     documented a f01m al baseline configuration for its computer se1vers. A baseline\n     configuration is a f01m ally approved stan dard outlining how to securely configure various\n     operating platfonns .\n\n     NIST SP 800-53 Revision 4 requir es an organization to develop a configuration management\n     policy that addresses purpose, scope, roles, responsibilities, management commitment,\n     coordination among organizational entities, and complian ce, as well as procedures to\n     facilitate the implementation of the configuration management policy and associated\n     configuration management controls.\n\n     In addition, NIST SP 800-53 Revision 4 states that an organization must develop, document,\n     and maintain a current baseline configuration of the inf01m ation system .\n\n     Failure to establish approved system configuration settings increases the risk the system may\n     not be configured in a secure manner.\n\n     Recommendation 25\n     We recommend that NALC HBP develop cmporate configuration management policies an d\n     procedures in accordan ce with NIST SP 800-53 Revision 4 guidelines.\n\n     NALC HBP Response:\n     "The NALC HBP is in the process ofdocumenting our configuration managem ent policies\n     and procedures in accordance with the NIST guidelines. A s this requires research across\n     many platforms and operating systems, the process has required more research and\n     planning than we had anticipated. 
We are so~ outside resources and reviewing\n     compliance and monitoring products for the -       side ofour environment and are\n     researching United States Government Baseline Configuration - N ational Checklist\n     Program for o u r - policies and procedures.\n\n     We are targeting th e second quarter 2014 for having management policies fully form ed."\n\n\n\n                                                22 \n\n\x0c   OIGReply:\n   As pa1t of the audit resolution process, we recommend that NALC HBP provide OPM \'s HIO\n   with evidence when the plan has developed and implemented c01porate configuration\n   management policies and procedures in accordance with NIST guidance.\n\n2. Configuration Compliance Auditing\n   As noted above, NALC HBP does not maintain approved operating platfonn security\n   configurations, and therefore cannot effectively audit its systems security settings (i.e., there\n   are no approved settings to which to compare the actual settings) .\n\n   NIST SP 800-53 Revision 4 states that an organization must monitor and control changes to\n   the configuration settings in accordance with organizational policies and procedures.\n\n   FISCAM requires cunent configuration infonnation to be routinely monitored for accuracy.\n   Monitoring should address the baseline and operational configuration of the hardware,\n   software, and fitmware that comprise the inf01m ation system.\n\n   Failure to implement a thorough configuration compliance auditing program increases the\n   risk that insecurely configured setv ers exist undetected, creating a potential gateway for\n   malicious vims and hacking activity that could lead to data breaches.\n\n   Recommendation 26\n   We recommend that NALC HBP document approved baseline configurations for all\n   operating platfonns.\n\n   NALC HBP Response:\n  "The NALCHBP has completed a~ance Assessment through a n \xc2\xad\n  focu sed third party company know~as afirst step toward establishing\n  
baseline configurations on that platform. We will be establishing a test partition ofour\n  production environment to assess the business impact ofimplementing the baseline\n  configurations. Our IT st~e process ofcreating a test network environment in\n  order to create a baseli n e - environment based upon United States Government\n  Baseline Configuration -National Checklist Program recommendations. "\n\n   OIGReply:\n   As prut of the audit resolution process, we recommend that NALC HBP provide OPM \'s HIO\n   with evidence when the p lan has documented an approved baseline configuration for all\n   operating platfonns.\n\n   Recommendation 27\n   We recommend that NALC HBP implement a process to routinely audit network setvers \'\n   security configuration settings to ensure they are in compliance with the approved\n   configuration baselines.\n\n\n                                                 23 \n\n\x0c   NALC HBP Response:\n   "The NALC HBP has entered into a contract with a third party known as \xc2\xad\n  -         acquire an application that will monitor for assurance that security\n  configurations are maintained according to established baselines.\n  The NALC HBP has recently reviewed~lication fro~ that will provide\n  similar capabilities for monitoring t h e - A determination will be made regarding\n  acquiring this application after product quotes are received. "\n\n   OIGReply:\n   As prut of the audit resolution process, we recommend that NALC HBP provide OPM \'s HIO\n   with evidence when the Plan has implemented a process to routinely audit network servers \'\n   secmity configm ation settings to ensme compliance with the approved configmation\n   baselines.\n\n3. System Software Change Control\n   NALC HBP maintains a mlllling list of changes made t~ However, NALC HBP\n   has not established a fonnal systems development lifecycle (SDLC) methodology with\n   c01porate approved policies and procedmes . 
Although a list of system changes is maintained, relevant documentation related to the change is not maintained for post-implementation review.

NIST SP 800-53 Revision 4 recommends that organizations determine the types of changes to the information system that should be controlled, approve configuration changes to the system with consideration for security impact analysis, document approved configuration changes, retain and review records of configuration changes, audit activities associated with configuration changes, and coordinate and provide oversight for configuration change control.

Although all changes made to the system are documented, a formal policy outlining the required documentation and the required approvals for all system changes has not been developed. This exposes the system to unwarranted and unapproved changes, potentially leading to system vulnerabilities.

Recommendation 28
We recommend that NALC implement formal system software change control policies and procedures in accordance with NIST SP 800-53 Revision 4 to ensure that changes are approved, documented, recorded, reviewed, audited, and given oversight.

NALC HBP Response:
"The NALC HBP has not the resources currently to institute this recommendation but will be creating a testing environment for the [redacted] and a test network toward building a compliance platform. Configuration change control procedures will follow after baselines are established. Change Management Policy will be adjusted accordingly as the project unfolds.
In the meantime, changes will be reviewed, documented and approved according to current procedures."

OIG Reply:
As part of the audit resolution process, we recommend that NALC HBP provide OPM's HIO with evidence when the plan has implemented formal system software change control policies and procedures in accordance with NIST guidance.

4. Password Requirements
NALC HBP has documented corporate password standards. However, we discovered many instances where information systems did not follow the established guidelines.

NIST SP 800-53 Revision 4 requires an organization to enforce minimum password complexity based on organization-defined requirements.

Failure to enforce strong password requirements on information systems increases the risk that the systems could be breached by brute force password attacks.

Recommendation 29
We recommend that NALC HBP make the appropriate system changes to ensure that all systems require complex passwords that comply with the corporate policy.

NALC HBP Response:
"The NALC HBP policy is now formally documented in IS-05 Account Management Policy and will be effective on February 1, 2014."

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with screen shots of the password configurations from the information systems indicating compliance with the new corporate password policy.

E. Contingency Planning
We reviewed NALC HBP's contingency planning program to determine whether controls are in place to prevent or minimize interruptions to business operations when disastrous events occur. We determined that the Plan has identified critical applications and routinely rotates back-up data to an off-site location.
However, we have serious concerns about NALC HBP's contingency planning program and do not have confidence that the plan could maintain business operations if its primary facility was disabled.

The sections below document opportunities for improvement related to NALC HBP's contingency planning program.

a) Business Impact Analysis
NALC HBP has not conducted an adequate business impact analysis (BIA). During the field work phase of the audit we were provided with a draft version of a BIA, but it has not been finalized and does not contain several of the requirements documented in NIST 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems.

NALC HBP also has not identified the critical resources (i.e., personnel) required to support critical operations and business functions in the event of a disaster, nor has it identified recovery priorities. NALC HBP has created a list of critical hardware, but all items were equally assigned the highest priority.

NIST 800-34 Revision 1 states that a BIA is a key step in implementing a contingency planning process. Three steps involved in completing a BIA include determining business processes and recovery criticality, identifying resource requirements, and identifying recovery priorities for system resources. Failure to conduct a BIA increases the risk that the Plan will not be able to recover critical business operations in a timely manner.

Recommendation 30
We recommend that NALC HBP conduct a business impact analysis in accordance with NIST 800-34 Revision 1.

NALC HBP Response:
"For Recommendations 30-36 (also see individual recommendations for specific responses): The NALC HBP agrees generally with the OIG's overall assessment of the Plan's contingency planning program.
Prior to the commencement of the OIG's audit of general and application controls, the Plan sought its own independent assessment of its disaster recovery and business continuity capabilities, which included the aforementioned draft business impact analysis. Senior management, upon reviewing the unfinalized draft report, chose to move aggressively to mitigate what it saw as the most critical weaknesses including the back-up data capabilities. Management remains committed to an aggressive mitigation strategy and a complete redesign of its contingency planning program, which will address all of the weaknesses identified by the OIG, including most significantly, the Plan's data back-up and alternate work site capabilities. Plan documentation and testing will follow accordingly in compliance with NIST and/or other best practices. At this time, while management has sought proposals for on-site back-up power generation, we feel other elements of the overall contingency plan redesign may obviate the need for this recommendation.

With respect to OIG's comment that the NALC HBP does not routinely perform emergency response training, we wish to clarify that while it is our intent to revisit and improve all areas of our contingency planning including emergency response training, the Plan does in fact routinely arrange for the members of its volunteer AED staff to recertify their CPR training."

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence once a business impact analysis has been conducted in accordance with NIST guidance.
With regards to NALC HBP's plan to redesign its contingency planning program, we will work with HIO's audit resolution team to make the appropriate adjustments to the contingency planning related recommendations as the Plan develops its new strategy.

b) Alternate Recovery Location
NALC HBP does not have an alternate location to recover its computing environment in the event of a disaster. We were told that NALC HBP has made arrangements to begin using hardware at the NALC union headquarters building in Washington, D.C. as a backup location, and production data will be mirrored between the two sites. However, NALC HBP has not identified an alternate location for employees to work and perform business operations.

NIST SP 800-53 Revision 4 states that an organization must establish "an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions ...." Failure to establish an alternate processing site prohibits NALC HBP from continuing business operations in the event of a disaster.

Recommendation 31
We recommend that NALC HBP fully implement the data backup capabilities at the NALC headquarters building.

NALC HBP Response:
"In August of 2013 the NALC HBP conducted a major infrastructural upgrade to our IT environment in order to facilitate off-site data replication. A similar environment was constructed in October 2013 at our data exchange partner location, the National Association of Letter Carriers (NALC) Headquarters in Washington DC.

The components of the exchange infrastructure are an [redacted] server environment and a [redacted]. All of these components are [redacted].

However, both sites encountered a problem with the [redacted] during installation.
The problem proved to be an obscure one [redacted] resolved on January 17, 2014. The project could not entirely move forward until the issue was settled. In the interim, the NALC HBP IT [redacted] week-long training sessions for the [redacted] in November 2013 and for [redacted] elements of the solution in December 2013.

Additionally in December 2013, an [redacted] technician completed a configuration evaluation, firmware updates to relevant devices, and established network storage areas at this facility and at NALC HQ for purposes of replication. The technician will be returning in February 2014 to complete the training and begin implementation.

The [redacted] server farm was established in November 2013 but this portion of the project was also placed on hold until the [redacted] issue was resolved. [redacted] training will be hands-on as the project unfolds.

It is anticipated that replication will be functioning fully in the March 2014 timeframe."

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence once it has fully implemented the data backup capabilities at the NALC headquarters building.

Recommendation 32
We recommend that NALC HBP create a plan that establishes an alternate work site for its employees that allows for critical business operations to continue if the main facility is not accessible.

NALC HBP Response:
Included in the NALC HBP response to recommendation 30.

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence once a plan has been established for an alternate work site that allows for critical business operations to continue in the event the main facility is inaccessible.

c) Data Center Generator
The backup
power generator at the NALC HBP facility does not have the capacity to sustain the data center in the event of a prolonged power outage. NALC HBP has an uninterruptible power supply that can sustain the data center for up to four hours. However, any power outage lasting longer than four hours would result in the complete shutdown of operations until power could be restored. This issue is compounded by the lack of an alternate recovery location.

HIPAA §164.308(a)(7)(ii)(C) requires covered entities to "Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode." NALC HBP could not process claims if its facility experiences an extended power outage.

Recommendation 33
We recommend that NALC HBP install a power generator that can maintain data center operations in the event of a power loss.

NALC HBP Response:
Included in the NALC HBP response to recommendation 30.

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence once the Plan has installed a power generator that can maintain data center operations in the event of a power loss, or implemented other controls that would address the weaknesses described in this section.

d) Contingency Plan
NALC HBP's contingency plan does not address many of the suggested elements of NIST SP 800-34 Revision 1. NALC HBP has created a Disaster Recovery Manual that outlines high level procedures to follow in the event of a disaster.
However, the procedures instruct disaster recovery personnel to perform actions and analysis that typically should be performed before a disaster occurs, and already be documented in a contingency plan. Also, the fact that NALC HBP has not conducted a BIA, established alternate recovery and processing locations, or identified critical resources drastically reduces the effectiveness of the Disaster Recovery Manual.

NIST SP 800-34 Revision 1 identifies the five main components of a contingency plan, as follows: Supporting Information, Activation and Notification Phase, Recovery Phase, Reconstitution Phase, and Appendices. Failure to establish a thorough contingency plan increases the risk that NALC HBP will not be able to continue business operations in the event of a disaster.

Recommendation 34
We recommend that NALC HBP update its Disaster Recovery Manual in accordance with NIST SP 800-34 Revision 1.

NALC HBP Response:
Included in the NALC HBP response to recommendation 30.

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence once the Disaster Recovery Manual has been updated in accordance with NIST guidance.

e) Contingency Plan Testing
NALC HBP does not perform contingency plan testing. We were told that the Plan has at one time restored data from back-up tapes. However, the restoration occurred several years ago and was performed on the production environment at the main facility. NALC HBP has never restored data at an alternate location.

NIST SP 800-34 Revision 1 states that contingency plan testing "is a critical element of a viable contingency capability.
Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan." NIST SP 800-53 Revision 4 states that the organization must review the contingency plan test results and initiate corrective action. Failure to test the contingency plan increases the risk that NALC HBP will not be able to recover business operations if unexpected events occur.

Recommendation 35
We recommend that NALC HBP routinely test its contingency plan and incorporate the results into the contingency plan.

NALC HBP Response:
Included in the NALC HBP response to recommendation 30.

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence that the contingency plan is routinely tested and the results incorporated into plan updates.

f) Emergency Response Training
NALC HBP does not routinely perform emergency response training. The Plan conducts periodic evacuation drills and has procedures for activating the fire suppression system in the data center.
However, there is no periodic training for employees with emergency response responsibilities.

NIST SP 800-53 Revision 4 states that the Plan should train "personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training." Failure to conduct periodic emergency response training would increase the risk that human life, equipment, and sensitive data would be lost.

Recommendation 36
We recommend that NALC HBP provide periodic emergency response training to individuals with emergency response responsibilities.

NALC HBP Response:
Included in the NALC HBP response to recommendation 30.

OIG Reply:
As part of the audit resolution process, we recommend that the Plan provide OPM's HIO with evidence that employees with emergency response responsibilities are provided periodic training relevant to their roles in business continuity and disaster recovery.

F. Claims Adjudication
The following sections detail our review of the applications and business processes supporting NALC HBP's claims adjudication process.

1. Application Configuration Management
System Development Life Cycle Methodology
NALC HBP has not implemented a standard SDLC methodology for managing application development.
NALC HBP owns a change management software product, but usage policies and procedures have not been formally defined.

According to FISCAM, "The entity should have a documented SDLC methodology that details the procedures that are to be followed when applications are being developed, as well as when they are subsequently modified."

Failure to implement a standard SDLC methodology increases the risk that unapproved and improperly tested changes are introduced into the production environment.

Recommendation 37
We recommend that NALC HBP implement a formal SDLC methodology that defines responsibilities for each employee within the change control process. This process should require standardized documentation for all steps of the change control process.

NALC HBP Response:
"The NALC HBP policy is now formally documented in IS-30 System Development Lifecycle Policy and will be effective on February 1, 2014."

OIG Reply:
The evidence provided by NALC HBP in response to the draft audit report indicates that the Plan has implemented a formal SDLC methodology that defines responsibilities for each employee within the change control process. The process also includes standardized documentation for all steps of the change control process; no further action is required.

2. Claims Processing System
We evaluated the input, processing, and output controls associated with NALC HBP's claims processing system.
We determined that NALC HBP has implemented policies and procedures to help ensure that:
• paper claims that are received in the mail room are tracked to ensure timely processing;
• claims are monitored as they are processed through the system; and
• claims scheduled for payment are actually paid.

3. Enrollment
We evaluated NALC HBP's procedures for managing its database of member enrollment data. Changes to member enrollment information are primarily received via an encrypted electronic transmission. Enrollment changes are processed on a weekly basis. NALC HBP has an audit function for each step of the enrollment process. We do not have any concerns regarding NALC HBP's enrollment policies and procedures.

4. Debarment
NALC HBP has adequate procedures for updating its claims system with debarred provider information. NALC HBP downloads the OPM OIG debarment list every month and converts the file to a format that is loaded into the Plan's claims processing system. Any debarred providers that appear in NALC HBP's provider database are flagged to prevent claims submitted by that provider from being inappropriately paid during the claims adjudication process. Nothing came to our attention to indicate that NALC HBP has not implemented adequate controls over the debarment process.

5. Application Controls Testing
We conducted a test on NALC HBP's claims adjudication application to evaluate the system's processing controls. The exercise involved processing test claims designed with inherent flaws and evaluating the manner in which NALC HBP's systems adjudicated the claims.
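The debarment check in section 4 and the flawed-test-claim exercise in section 5 both come down to the same mechanism: edits that fire before a claim pays. The block below is an added example, not the Plan's claims system, Cigna's processing, or the OIG's test claims. The claim records, the debarment list and the filing and duplicate windows are constructed for illustration, and the edit names are invented. It implements a small edit set of the kinds this section discusses (debarred provider, invalid date of service, timely filing, exact duplicate, near duplicate) and shows the distinction the OIG draws later in this section: an exact duplicate is denied outright, while a near duplicate is deferred so that a claims processor can decide whether it was submitted correctly.

```python
"""Claims adjudication edits (added example; constructed data, not the Plan's system)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Claim:
    claim_id: str
    member_id: str
    provider_id: str
    procedure_code: str
    service_date: date
    received_date: date


# Assumed thresholds (constructed values; the report does not state the Plan's).
TIMELY_FILING_DAYS = 365          # claims received later than this after service are denied
NEAR_DUPLICATE_WINDOW_DAYS = 30   # same member + procedure within this window is suspect

DENY_EDITS = {"DEBARRED_PROVIDER", "INVALID_DATE_OF_SERVICE",
              "TIMELY_FILING", "DUPLICATE_CLAIM"}
DEFER_EDITS = {"SUSPECTED_DUPLICATE"}   # held for a claims processor, never auto-paid


def edits_for(claim: Claim, prior: Iterable[Claim], debarred: Set[str]) -> List[str]:
    """Return the edits that fire for one claim, given previously accepted claims."""
    edits: List[str] = []
    if claim.provider_id in debarred:
        edits.append("DEBARRED_PROVIDER")
    if claim.service_date > claim.received_date:
        edits.append("INVALID_DATE_OF_SERVICE")     # service date in the future
    elif (claim.received_date - claim.service_date).days > TIMELY_FILING_DAYS:
        edits.append("TIMELY_FILING")
    exact = near = False
    for p in prior:
        if p.member_id != claim.member_id or p.procedure_code != claim.procedure_code:
            continue
        if p.service_date == claim.service_date and p.provider_id == claim.provider_id:
            exact = True
        elif abs((p.service_date - claim.service_date).days) <= NEAR_DUPLICATE_WINDOW_DAYS:
            near = True
    if exact:
        edits.append("DUPLICATE_CLAIM")
    elif near:
        edits.append("SUSPECTED_DUPLICATE")
    return edits


def disposition(edits: List[str]) -> str:
    if any(e in DENY_EDITS for e in edits):
        return "DENY"
    if any(e in DEFER_EDITS for e in edits):
        return "DEFER"
    return "PAY"


def adjudicate(batch: List[Claim], history: List[Claim],
               debarred: Set[str]) -> Dict[str, Dict[str, object]]:
    """Adjudicate a batch in received order.

    Claims that pay or defer join the comparison set, so a claim submitted
    twice in the same batch is caught; denied claims do not join it, so a
    corrected resubmission after a denial is not flagged as its own duplicate.
    """
    accepted = list(history)
    results: Dict[str, Dict[str, object]] = {}
    for claim in sorted(batch, key=lambda c: (c.received_date, c.claim_id)):
        edits = edits_for(claim, accepted, debarred)
        outcome = disposition(edits)
        results[claim.claim_id] = {"edits": edits, "disposition": outcome}
        if outcome != "DENY":
            accepted.append(claim)
    return results


# Constructed sample data.
DEBARRED_PROVIDERS: Set[str] = {"PRV-9001"}
SAMPLE_HISTORY = [
    Claim("H1", "M1", "PRV-100", "99213", date(2013, 10, 1), date(2013, 10, 5)),
]
SAMPLE_BATCH = [
    Claim("C1", "M1", "PRV-100", "99213", date(2013, 10, 1), date(2013, 11, 1)),   # resubmission of H1
    Claim("C2", "M1", "PRV-100", "99213", date(2013, 10, 15), date(2013, 11, 2)),  # 14 days after H1
    Claim("C3", "M2", "PRV-9001", "99213", date(2013, 11, 1), date(2013, 11, 3)),  # debarred provider
    Claim("C4", "M3", "PRV-200", "12345", date(2012, 1, 10), date(2013, 11, 3)),   # received 663 days after service
    Claim("C5", "M4", "PRV-200", "12345", date(2013, 12, 1), date(2013, 11, 3)),   # service date in the future
    Claim("C6", "M5", "PRV-300", "45378", date(2013, 10, 20), date(2013, 11, 4)),  # clean
    Claim("C7", "M5", "PRV-300", "45378", date(2013, 10, 20), date(2013, 11, 4)),  # duplicate of C6, same batch
]


def run_sample() -> Dict[str, Dict[str, object]]:
    return adjudicate(SAMPLE_BATCH, SAMPLE_HISTORY, DEBARRED_PROVIDERS)


if __name__ == "__main__":
    for claim_id, r in run_sample().items():
        print(f"{claim_id}: {r['disposition']:<5} {', '.join(r['edits']) or '-'}")
```

A test exercise of the kind the OIG describes is simply a batch like SAMPLE_BATCH run through the production edit set: each claim carries one known flaw, and the expected disposition for each is written down before the run, so any claim that pays when it should deny or defer is a finding.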
Our test results indicated that NALC HBP's system has controls and system edits in place to identify the following scenarios:
• timely filing;
• enrollment inconsistencies;
• invalid date of service;
• chiropractic benefit structure;
• duplicate claims; and
• coordination of workers compensation.

The sections below document opportunities for improvement related to NALC's claims application controls.

a. Medical Editing
Our claims testing exercise identified several scenarios where NALC HBP's claims system failed to detect medical inconsistencies. For each of the following scenarios, a test claim was processed and paid without encountering any edits detecting the inconsistency:

• [redacted]
• [redacted]
• [redacted]
• [redacted]
• [redacted]
• [redacted]

These system weaknesses increase the risk that benefits are being paid for procedures that were not actually performed.

Recommendation 38
We recommend that NALC HBP make the appropriate system modifications to prevent medically inconsistent claims from being processed.

NALC HBP Response:
"For Recommendations 38-41: The original application control testing that was conducted on the Plan's claim system did not include all the processes that the Plan employs to adjudicate a claim, i.e., it was not conducted as an end-to-end test, but focused exclusively on the claim system. The attached spreadsheet (OIG Test Claims) lists the claims scenarios and includes comments from the Plan and Cigna which take into account our end-to-end claims process.

In addition, the Plan performs post-payment audits daily to ensure that claims are being adjudicated correctly.
The audits performed by our internal Audit Department are described below. ...

We believe that the process as a whole provides sufficient protections against the inappropriate payment of claims. In addition, the Plan is actively investigating the purchase of a clinically based claims audit program that applies edits to claims during the adjudication process as a further level of protection."

OIG Reply:
NALC HBP's response indicates that the application control testing performed during this audit did not properly reflect all the controls that the Plan employs to adjudicate a claim in the production environment. However, to date no evidence has been provided to support this position. If and when the Plan is able to provide evidence of the controls present in the end-to-end adjudication process, we will perform additional testing as part of a supplemental or follow-up audit. The recommendations in this section of the report should remain open until NALC HBP has successfully demonstrated that the weaknesses described do not exist in its claims processing system.

b. [redacted]
Test claims were processed that violate [redacted]

This system weakness increases the risk that benefits are being paid for procedures that were not actually performed.

Recommendation 39
We recommend that NALC HBP make the appropriate system modifications to enforce proper procedure code billing guidelines.

NALC HBP Response:
Included in the NALC HBP response to Recommendation 38.

OIG Reply:
As mentioned in the OIG Reply to Recommendation 38, if and when the Plan is able to provide evidence of the end-to-end system of controls, we will perform additional testing as part of a supplemental or follow-up audit.

c. [redacted]
NALC HBP's claims processing [redacted] claims for a member with
[redacted] does not have edits in place to prevent duplicate [redacted] charges for [redacted]. We submitted two claims for [redacted] for one member at the same [redacted]. We also submitted claims for a member for [redacted]. NALC HBP inappropriately processed and paid the [redacted] services.

This system weakness increases the risk that [redacted] are being paid for duplicate [redacted] expenses.

Recommendation 40
[redacted] system modifications to ensure that claims are not paid for duplicate [redacted] charges.

NALC HBP Response:
Included in the NALC HBP response to Recommendation 38.

OIG Reply:
As mentioned in the OIG Reply to Recommendation 38, if and when the Plan is able to provide evidence of the end-to-end system of controls, we will perform additional testing as part of a supplemental or follow-up audit.

d. [redacted]
Duplicate test claims were processed for a procedure that typically [redacted].

We submitted two test claims with a patient receiving a [redacted] on separate dates.
These claims were processed and paid without encountering any edits. Due to the similarity of these claims, we expected the second claim to be deferred by a suspected duplicate edit, so that a claims processor could determine if the claim was submitted correctly.

Recommendation 41
We recommend that NALC HBP make the appropriate system modification to prevent near duplicate claims from processing.

NALC HBP Response:
Included in the NALC HBP response to Recommendation 38.

OIG Reply:
As mentioned in the OIG Reply to Recommendation 38, if and when the Plan is able to provide evidence of the end-to-end system of controls, we will perform additional testing as part of a supplemental or follow-up audit.

G. Health Insurance Portability and Accountability Act
We reviewed NALC HBP's efforts to maintain compliance with the security and privacy standards of HIPAA.

NALC HBP's HIPAA security and privacy organization consists of a security officer and privacy officer. The Plan developed a series of privacy policies and procedures that address requirements of the HIPAA privacy rule. NALC HBP reviews its HIPAA privacy and security policies annually and updates them when necessary. However, not all of the elements of the HIPAA security rule have been implemented. The areas within the security rule that need to be improved have been discussed in the sections above. By implementing those recommendations, NALC HBP will be in compliance with the HIPAA security rule.

III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group.
The following individuals participated in the audit and the preparation of this report:
• [redacted], Chief
• [redacted], Auditor-In-Charge
• [redacted], Lead IT Auditor
• [redacted], IT Auditor
• [redacted], IT Auditor

Appendix I

July 29, 2013

MEMORANDUM FOR ELAINE KAPLAN
Acting Director

FROM: PATRICK E. McFARLAND
Inspector General

SUBJECT: Flash Audit Alert – Information Security at the National Association of Letter Carriers Health Benefit Plan (NALC HBP)

The U.S. Office of Personnel Management (OPM) Office of the Inspector General (OIG) is issuing this flash audit alert to bring to your immediate attention serious concerns we have regarding the National Association of Letter Carriers Health Benefit Plan's (NALC HBP) ability to adequately secure sensitive Federal data.

NALC HBP is a participating carrier in the Federal Employees Health Benefits Program (FEHBP) and processes health insurance claims for FEHBP members and their dependents. This company therefore manages highly sensitive data such as personally identifiable information and personal health information.

We are currently in the fieldwork phase of an information technology (IT) audit at NALC HBP, and have determined that this organization has a very limited information security program. One primary concern is the fact that NALC HBP has not developed comprehensive IT security policies and procedures.
IT policies and procedures are the critical foundation of a strong information security program, as these documents provide guidance on how IT security should be managed at a specific organization.

We also conducted vulnerability scans of NALC HBP's network server environment, and discovered critical vulnerabilities that could be easily exploited by a malicious attacker. These weaknesses include, but are not limited to: insecure server configurations, outdated and unnecessary software installations, and missing vendor security patches and hot fixes.

In addition to these two primary concerns, we detected the following serious or critical weaknesses in NALC HBP's information security program:

• A lack of IT security training for employees;
• Weak physical access controls to facilities and sensitive computing resources;
• No formal system development life cycle methodology;
• Weak system authentication requirements;
• Under-developed business continuity and disaster recovery strategies; and,
• Inadequate management of system software configuration.

Most, if not all, of these findings are a direct violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

We plan to issue a full IT audit report (Audit of Information System General & Application Controls at NALC HBP, Report No. 1B-32-00-13-037) that will contain many specific audit recommendations to improve IT security at NALC HBP.
However, this report will not be issued until fiscal year 2014, and we are therefore immediately issuing the following recommendations so that NALC can begin taking steps to address the most serious weaknesses.

Recommendation 1
We recommend that NALC HBP develop comprehensive IT security policies and procedures. At a minimum, NALC HBP should implement policies and procedures related to the following topics:

• Risk Assessments
• Contingency Planning and Testing
• Security Awareness Training
• Employee Termination
• Physical Access Controls
• Auditing/Monitoring User and Administrator Activity
• Appropriate Use of Software
• Segregation of Duties
• Security Incident Response
• Password Requirements
• Vulnerability Scanning
• Server Configuration Management, Baseline Configurations, and Auditing Server Configuration
• System Development Lifecycle
• Firewall Management
• Web and E-mail Filtering
• Wireless Network Access
• Control of Removable Media

Recommendation 2
We recommend that NALC HBP make the appropriate changes to its computer servers in order to address the critical weaknesses identified in the vulnerability scans.

If you have any questions about this flash audit alert you can contact me at 606-1200, or your staff may wish to contact Michael R. Esser, Assistant Inspector General for Audits, at 606-2143.

cc:
Elizabeth A. Montoya
Chief of Staff

John O'Brien
Director, Healthcare and Insurance

Shirley R.
Patterson\n          Assistant Director for Federal Employee Insurance Operations\n\x0cElaine Kaplan                                                3\n\n\n\n     Associate Director, Merit System Audit and Compliance\n\n\n     Director, Internal Oversight & Compliance\n\x0c                                                      Appendix II\n                       NA TI O N AL ASSOCIAT I ON OF LETTE R S CA RRI E R S\n\n                       HEALTH BENEFIT PLAN \n\n                20547 Waverly Cotut, Ashbtun, Vit\xc2\xb7ginia 20149 \xe2\x80\xa2 (703)729-4677 or 1-888-636-NALC (6252)\n                             Fredric V. Rolando, President \xe2\x80\xa2 Brian E. Hellman, Dit\xc2\xb7ector\n\n\n\n\nJanuary 31 , 2014\n\n\n\n-arge\nInformation Systems Aud its Group\nUnited States Office of Personnel Management\nOffice of the Inspector General\n\nDear\n\nEnclosed please f ind the NALC Health Benefit Plan\'s comments and responses to the draft\nreport detailing the results of the aud it of general and appl ication controls over the information\nsystems, conducted at our offices by the Office of the Inspector General at the U.S. Office of\nPersonnel Management (OPM).\n\nIn general , our comments and responses align to specific recommendations made in the draft\nreport. However, w ith respect to the sections addressing Contingency Plann ing and Claims\nAdjudicat ion , our comments respond to the general findings and are organized under a single\nheading. 
Where references are made to supporting documentation , we have included those\nas separate attachments in either MS Word or Excel format.\n\n                            uestions, please feel free to contact me at                                  or-\n\n\n\n\nNALC Health Benefit Plan\n\n\ncc:\n\n\n\n\n                                                         Board ofTrustees \n\n\n                                   Randall L Keller   Lawrence D Brown, Jr , Ch   Micbael J Gill \n\n\x0cRecommendation 1 (from Flash Audit Alert issued July 29, 2013)\nWe recommend that NALC HBP develop comprehensive IT security policies and procedures.\nAt a minimum, NALC HBP should implement policies and procedures related to the\nfollowing topics:\n\n\xef\x82\xb7   Risk Assessments                               \xef\x82\xb7   Password Requirements\n\xef\x82\xb7   Contingency Planning and Testing               \xef\x82\xb7   Vulnerability Scanning\n\xef\x82\xb7   Security Awareness Training                    \xef\x82\xb7   Server Configuration Management,\n\xef\x82\xb7   Employee Termination                               Baseline Configurations, and Auditing\n\xef\x82\xb7   Physical Access Controls                           Server Configuration\n\xef\x82\xb7   Auditing/Monitoring User and                   \xef\x82\xb7   System Development Lifecycle\n    Administrator Activity                         \xef\x82\xb7   Firewall Management\n\xef\x82\xb7   Appropriate Use of Software                    \xef\x82\xb7   Web and E-mail Filtering\n\xef\x82\xb7   Segregation of Duties                          \xef\x82\xb7   Wireless Network Access\n\xef\x82\xb7   Security Incident Response                     \xef\x82\xb7   Control of Removable Media\n\nNALC HBP Response:\nThe NALC HBP has developed and adopted the attached Information Security Policies and\nProcedures.\n\nRecommendation 2\nWe recommend that NALC HBP implement a process to routinely review and update its IT\nsecurity 
policies.\n\nNALC HBP Response:\nThe NALC HBP has established an Information Security Management Committee.\n\nThe committee members are: NALC HBP Director, the NALC HBP Administrator, the Human\nResources Manager, the Facilities Manager, the Information Systems Manager, the Claims\nSuperintendent, the HIPAA Security Officer and the HIPAA Privacy Official.\n\nThe committee, in conjunction with members of the Information Systems Department staff and\nrepresentatives from the Administrative and Claims departments, have been integral in\nformulating the newly established policies. The committee will meet annually prior to the\nscheduled risk assessment to review and update IT security policies.\n\nPolicies will be addressed accordingly if circumstances dictate a review and update prior to the\nscheduled event.\n\nThe NALC HBP policy is now formally documented in IS-01 Information Security Program\nPolicy on Policies and will be effective on February 1, 2014.\n\n\nRecommendation 3\nWe recommend that as part of its efforts to obtain compliance with the HIPAA security rule,\nNALC HBP implement a security awareness training program for its employees. For\n\x0cguidance in creating a secmity awareness program see NIST SP 800-50. The program should \n\nbe managed by the secmity management stm cture. \n\n\nNALC HBP Response: \n\nThe NALC HBP is in the process of creating a security awareness program based\nnn11u\xc2\xb7\xe2\x80\xa2\xc2\xb7~" in con unction with outside resources.           we have contacted \n\n                         ....,,"\'\xe2\x80\xa2..,..,.,, " their                        educational \n\n                                                       ,...,.,..,,.,\xe2\x80\xa2\xe2\x80\xa2u .. 
of the appropriate nl"<ll.rlllir-1" \n\n\n\n\n\nWe are anticipating an April2014 launch for our security awareness training program for all\nemployees and will update our new employee educational material to address the security\nrequirements.\n\nRecommendation 4\nWe recommend that NALC HBP develop and implement a training program for employees\nwith IT secmity responsibilities. The program should include:\n\xe2\x80\xa2\t   A process to identify and categorize positions with secmity responsibilities;\n\xe2\x80\xa2\t   Development of specialized secmity training requirements within job descriptions,\n\xe2\x80\xa2\t   Opportunities to seek and maintain technical ce1tifications;\n\xe2\x80\xa2\t   Documentation of training completed by each employee; and\n\xe2\x80\xa2\t   A periodic review of employee records to ensme that specialized secmity training is\n     completed in accordance with standards.\n\nNALC HBP Response: \n\nThe NALC HBP is reviewing outside sources for purposes of establishing specialized training for \n\nemployees with IT security              which will include the bulleted items above. The\nsources contacted to date are\n\nThe NALC HBP has always encouraged and has a documented history of allowing our \n\nemployees opportunities to seek and maintain technical certifications. \n\n\nRecommendation 5 \n\nWe recommend that NALC HBP develop and implement a risk management policy and a risk \n\nassessment methodology. NIST SP 800-30 serves as an excellent reference to assist NALC \n\nHBP with the development of its risk management program. Implementation of the suggested \n\nframework would also help NALC HBP obtain complian ce with the HIPAA Security Rule. \n\n\nNALC HBP Response: \n\nThe NALC HBP policy is now formally documented in IS-19 IT Risk Management Policy and \n\nwill be effective on February 1, 2014. \n\n\n Recommendation 6 \n\n We recommend that NALC HBP implement a password policy that closely reflects industry \n\n standards. 
\n\n\x0cNALC HBP Response: \n\nThe NALC HBP policy is now formally documented in IS-05 Account Management Policy and \n\nwill be effective on February 1, 2014. We believe the policy provides appropriate safeguards in \n\nlight of NALC HBP\'s business needs. \n\n\nRecommendation 7\nWe recommend that NALC HBP address its -         and                                   password\nsetting weaknesses once a standard passworJPclicY has\norganization.\n\nNALC HBP Response: \n\nThe NALC HBP policy is now formally documented in IS-05 Account Management Policy and \n\nwill be effective on February 1, 2014. \n\n\nRecommendation 8 \n\nWe recommend that NALC HBP establish unique user accounts for each privileged user.\n\nNALC HBP Response:\nThe NALC HBP has created unique user accounts for privileged users. At present, three\nInformation Systems staff senior managers have unique privileged accounts on the network and\non the~e Network Administrator has a unique privileged account on the network but\nnot on~ The Programming Staff members have a lesser set of privileges on t h e \xc2\xad\nthan the senior managers but no special network privileges. The Operations staff has a unique\nset of privileges on t h e - that are different than the programming staff and lesser than the\nsenior managers and have a unique set of privileges on the network that are lesser than the\nsenior managers.\n\nThe NALC HBP policy is now formally documented in IS-04 Access Control Policy and will be\neffective on February 1, 2014.\n\nRecommendation 9\nWe recommend that NALC HBP implement a process to routinely review privileged user\nactivities.\n\nNALC HBP Response:\nWe have contracted with a third-party to provide an appliance and application that will allow\nthem to monitor account activity on our behalf. This will provide real-time alerts based upon\nthe sensitivity settings and will allow immediate review as required. 
A full review will be conducted weekly by internal and/or the third party sources.

The NALC HBP policy is now formally documented in IS-18 Monitoring and Log Management Policy.

It is expected that this process will be in place by February or March 2014.

Recommendation 10
We recommend that NALC HBP implement a process to review logical access to all of its systems and supporting applications to ensure that no terminated individuals retain access.

NALC HBP Response:
A list of all active employees will be forwarded to the Information Systems Department by the Human Resources department on a [redacted] basis. The Information Systems Department will compare the list against active network accounts and active [redacted] accounts for accuracy. Accounts will be adjusted accordingly.

Documentation of the review will be retained in the Human Resources Department.

The NALC HBP policy is now formally documented in IS-04 Access Control Policy and will be effective on February 1, 2014.

Recommendation 11
We recommend that NALC HBP implement a process to review the appropriate level of access for active user accounts for all applications used to gain access to sensitive data.

NALC HBP Response:
The Information Systems Department will conduct [redacted] review of all network accounts for appropriate levels of access. The NALC HBP is assessing a monitoring tool from [redacted] for [redacted] accounts to ensure appropriate levels of access. The Information Systems Department will compare the list against active network accounts and active [redacted] accounts for accuracy. Accounts will be adjusted accordingly.

The NALC HBP policy is now formally documented in IS-04 Access Control Policy and will be effective on February 1, 2014.

Recommendation 12
We recommend that NALC HBP improve the physical access controls at its data center. At a minimum the computer room entrance should require multi-factor authentication and piggybacking controls at both entrances.

NALC HBP Response:
The NALC HBP is in agreement and is soliciting proposals from qualified vendors to augment the current physical access controls at its data center to include multi-factor authentication and alarm-based anti-piggyback controls at both entrances.

Recommendation 13
We recommend that NALC HBP implement a process for routinely auditing all active access cards to ensure that they are not assigned to terminated employees.

NALC HBP Response:
A list of all active access cards will be forwarded by the facilities manager on a [redacted] basis to Human Resources to ensure
• Cards are issued to active employees only
• Access level is appropriate for duties
• Card number corresponds with ID number

The review of active access cards will be conducted by the Human Resources Department staff and a log of the event review will be maintained in that department.

The NALC HBP policy is now formally documented in IS-12 Physical Access Security Policy and will be effective on February 1, 2014. These are also reflected in the HR Policies and Procedures Manual.

Recommendation 14
We recommend that NALC HBP implement a process to routinely recertify that employees with specialized access still require specialized access. If no specialized access is required, then the access level should be adjusted accordingly.

NALC HBP Response:
A list of all specialized Access Cards will be forwarded on a [redacted] basis to the Administrative Office for review, or more frequently as changes become necessary. Upon review, specialized access will be adjusted accordingly.

Documentation of the review will be retained in the Human Resources Department.

The NALC HBP policy is now formally documented in IS-12 Physical Access Security Policy and will be effective on February 1, 2014. These are also reflected in the HR Policies and Procedures Manual.

Recommendation 15
We recommend that NALC HBP implement a process to automatically disable temporary access badges.

NALC HBP Response:
Temporary cards are activated upon request from Human Resources when an employee forgets their permanent access badge. Our current system is unable to deactivate automatically. An RFI is being solicited for upgrade/replacement of the Access System.

In the interim, temporary cards are deactivated [redacted].

The NALC HBP policy is now formally documented in IS-12 Physical Access Security Policy and will be effective on February 1, 2014. These are also reflected in the HR Policies and Procedures Manual.

Recommendation 16
We recommend that NALC HBP reassess the physical access controls at its facility and implement controls that will ensure proper physical security. At a minimum, NALC HBP should implement a piggybacking control at the two main entrances to the facility.

NALC HBP Response:
The NALC HBP acknowledges the concern and has been actively investigating potential solutions to address the piggybacking issue highlighted by the OIG. While similar in nature to the concern raised with respect to the data center controls, we have determined the approach must be different due to the higher volume of employees passing through these entrances, and may involve the use of a turnstile or similar system. Any modification of the two main entrances of this nature must also be fully ADA compliant, will require building owner authorization and the appropriate building code permits.

Recommendation 17
We recommend that NALC HBP develop and implement incident response policies and procedures in accordance with NIST SP 800-53 Revision 4, IR-1, Incident Response Policy and Procedures.

NALC HBP Response:
The NALC HBP policy is now formally documented in IS-15 Incident Management Policy and will be effective on February 1, 2014.

Recommendation 18
We recommend that NALC HBP implement a process to routinely conduct vulnerability scanning on the entire network environment and remediate vulnerabilities detected during scans in a timely manner.

NALC HBP Response:
[redacted]
The NALC HBP has deployed a vulnerability scanning product from [redacted] known as [redacted].

The product proactively scans our environment for misconfigurations, vulnerabilities and malware and provides guidance for mitigating risk.

[redacted] scan is performed [redacted]. A manual scan [redacted]. Due to the [redacted] scan in the event of an issue.

Discovered vulnerabilities are reviewed and placed into the following 5 categories:

[redacted]

Vulnerabilities are remediated in a timely manner according to their level of criticality.

A vulnerability trend report showing progress of the remediation process is emailed to appropriate staff on a monthly basis.

The NALC HBP policy is now formally documented in IS-10 Malicious Software Management Policy and will be effective on February 1, 2014.

Recommendation 19
We recommend that NALC HBP implement procedures and controls to ensure that production servers are updated with appropriate patches, service packs, and hotfixes on a timely basis.

NALC HBP Response:
[redacted] in order to address this finding.

Service packs, [redacted] and routinely used 3rd party software such [redacted] on the following schedule:

[redacted]

Recommendation 20 (from Flash Audit Alert issued July 29, 2013)
We recommend that NALC HBP make the appropriate changes to its computer servers in order to address the critical weaknesses identified in the vulnerability scans performed during this audit.

Noncurrent software
The results of the vulnerability scans indicated that several servers contained noncurrent software applications that were no longer supported by the vendors and have known security vulnerabilities.

FISCAM states that "Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms."

Failure to promptly remove outdated software increases the risk of a successful malicious attack on the information system.

NALC HBP Response:
[redacted] weaknesses discovered during the audit were addressed and remedied [redacted] be addressed as part of a larger [redacted] time. Additionally the NALC [redacted] needs to be replaced for the reasons cited above. It is expected that the [redacted] will be replaced by the end of 1st quarter 2014.

Recommendation 21
We recommend that NALC HBP implement a process to ensure that only current and supported versions of system software are installed on the production servers.

NALC HBP Response:
Production servers will only have software installed that is deemed necessary for the role and management of the server. Application software is kept current by updating to the latest version as we are notified by the manufacturer. Unnecessary software [redacted] is removed when discovered in the [redacted] or [redacted] or being noticed in [redacted] or [redacted] reports. [redacted] software will automatically update operating system and [redacted] necessary [redacted].

[redacted] audit of the servers will be performed by the Information Systems Department to check for outdated and unnecessary software.

The NALC HBP policy is now formally documented in IS-11 Network Security Management Policy and will be effective on February 1, 2014.

Recommendation 22
We recommend that NALC HBP implement a control to prevent unauthorized devices from connecting to the internal network environment.

NALC HBP Response:
A new firewall was deployed at the NALC HBP on January 24, 2014. The technician that installed the device has indicated that our firewall is capable of performing this service. It is expected that this service will be implemented in February 2014.

Recommendation 23
We recommend that NALC HBP document formal firewall management policies.

NALC HBP Response:
The NALC HBP policy is now formally documented in IS-11 Network Security Management Policy and will be effective on February 1, 2014.

Baseline configurations are being established as part of the implementation and training process for the new firewall.

Recommendation 24
We recommend that NALC HBP implement a process to conduct routine configuration compliance reviews on its network firewalls.

NALC HBP Response:
As part of the new firewall implementation process, the technician performing the installation will assist in establishing a configuration compliance review methodology.

Recommendation 25
We recommend that NALC HBP develop corporate configuration management policies and procedures in accordance with NIST SP 800-53 Revision 4 guidelines.

NALC HBP Response:
The NALC HBP is in the process of documenting our configuration management policies and procedures in accordance with the NIST guidelines. As this requires research across many platforms and operating systems, the process has required more research and planning than we had anticipated. We are soliciting outside resources and reviewing compliance and monitoring products for the [redacted] side of our environment and are researching [redacted] United States Government Baseline Configuration - National Checklist Program for our [redacted] policies and procedures.

We are targeting the second quarter 2014 for having management policies fully formed.

Recommendation 26
We recommend that NALC HBP document approved baseline configurations for all operating platforms.

NALC HBP Response:
The NALC HBP has completed [redacted] Assessment through a [redacted]-focused third party company known as [redacted] as a first step toward establishing baseline configurations on that platform. [redacted] establishing a test partition of our production environment to assess the business impact of implementing the baseline configurations. Our IT staff is in the process of creating a test network environment in order to create a baseline [redacted] environment based upon United States Government Baseline Configuration - National Checklist Program recommendations.

Recommendation 27
We recommend that NALC HBP implement a process to routinely audit network servers' security configuration settings to ensure they are in compliance with the approved configuration baselines.

NALC HBP Response:
The NALC HBP has entered into a contract with a third party known as [redacted] to acquire an application that will monitor for assurance that security [redacted] maintained according to established baselines.

The NALC HBP has recently reviewed an application from [redacted] will provide similar capabilities for monitoring the [redacted]. A determination w[redacted] acquiring this application after product quotes are received.

Recommendation 28
We recommend that NALC implement formal system software change control policies and procedures in accordance with NIST SP 800-53, CM-3 Configuration Change Control, to ensure that changes are approved, documented, recorded, reviewed, audited, and given oversight.

NALC HBP Response:
The NALC HBP does not currently have the resources to institute this recommendation but will be creating a testing environment for the [redacted] and a test network toward building a compliance platform. Configuration change control procedures will follow after baselines are established. Change Management Policy will be adjusted accordingly as the project unfolds.
In the meantime, changes will be reviewed, documented and approved according to current procedures.

Recommendation 29
We recommend that NALC HBP make the appropriate system changes to ensure that all systems require complex passwords that comply with the corporate policy.

NALC HBP Response:
The NALC HBP policy is now formally documented in IS-05 Account Management Policy and will be effective on February 1, 2014.

Recommendation 30
We recommend that NALC HBP conduct a business impact analysis in accordance with NIST 800-34 Revision 1.

NALC HBP Response for Recommendations 30-36 (also see individual recommendations for specific responses):
The NALC HBP agrees generally with the OIG's overall assessment of the Plan's contingency planning program. Prior to the commencement of the OIG's audit of general and application controls, the Plan sought its own independent assessment of its disaster recovery and business continuity capabilities, which included the aforementioned draft business impact analysis. Senior management, upon reviewing the unfinalized draft report, chose to move aggressively to mitigate what it saw as the most critical weaknesses including the back-up data capabilities. Management remains committed to an aggressive mitigation strategy and a complete redesign of its contingency planning program, which will address all of the weaknesses identified by the OIG, including most significantly, the Plan's data back-up and alternate work site capabilities. Plan documentation and testing will follow accordingly in compliance with NIST and/or other best practices. At this time, while management has sought proposals for on-site back-up power generation, we feel other elements of the overall contingency plan redesign may obviate the need for this recommendation.

With respect to OIG's comment that the NALC HBP does not routinely perform emergency response training, we wish to clarify that while it is our intent to revisit and improve all areas of our contingency planning including emergency response training, the Plan does in fact routinely arrange for the members of its volunteer AED staff to recertify their CPR training.

Recommendation 31
We recommend that NALC HBP fully implement the data backup capabilities at the NALC headquarters building.

NALC HBP Response:
In August of 2013 the NALC HBP conducted a major infrastructural upgrade to our IT environment in order to facilitate off-site data replication. A similar environment was constructed in October 2013 at our data exchange partner location, the National Association of Letter Carriers (NALC) Headquarters in Washington DC.

[redacted] location.

However, both sites encountered a problem with [redacted] during installation. The problem proved to be an obscure one [redacted] was [redacted] resolved on January 17, 2014. The project could not entirely move forward until the issue was settled. In the interim, the NALC HBP IT staff attended training sessions for the [redacted] November 2013 and for the [redacted] elements of the solution [redacted] 2013.

Additionally in December 20[redacted] completed a configuration evaluation, firmware updates to relevant devices, and established network storage areas at this facility and at NALC HQ for purposes of replication. The technician will be returning in February 2014 to complete the training and begin implementation.

The [redacted] server farm was established in November 2013 but this portion of the project was also [redacted] hold until the [redacted] issue was resolved. [redacted] training will be hands-on as the project unfolds.

It is anticipated that replication will be functioning fully in the March 2014 timeframe.

Recommendation 32
We recommend that NALC HBP create a plan that establishes an alternate work site and allows for critical business operations to continue if the main facility is not accessible.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 30 and 31

Recommendation 33
We recommend that NALC HBP install a power generator that can maintain data center operations in the event of a power loss.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 30 and 31

Recommendation 34
We recommend that NALC HBP update its Disaster Recovery Manual in accordance with NIST SP 800-34 Revision 1.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 30 and 31

Recommendation 35
We recommend that NALC HBP routinely test its contingency plan and incorporate the results into the contingency plan.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 30 and 31

Recommendation 36
We recommend that NALC HBP provide periodic emergency response training to individuals with emergency response responsibilities.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 30 and 31

Recommendation 37
We recommend that NALC HBP implement a formal SDLC methodology, which defines responsibilities for each employee within the change control process. This process should require standardized documentation for all steps of the change control process.

NALC HBP Response:
The NALC HBP policy is now formally documented in IS-30 System Development Lifecycle Policy and will be effective on February 1, 2014.

Recommendation 38
We recommend that NALC HBP make the appropriate system modifications to prevent medically inconsistent claims from being processed.

NALC HBP Response for Recommendations 38-41:
The original application control testing that was conducted on the Plan's claim system did not include all the processes that the Plan employs to adjudicate a claim, i.e., it was not conducted as an end-to-end test, but focused exclusively on the claim system. The attached spreadsheet (OIG Test Claims) lists the claims scenarios and includes comments from the Plan and Cigna which take into account our end-to-end claims process.

In addition, the Plan performs post-payment audits daily to ensure that claims are being adjudicated correctly. The audits performed by our internal Audit Department are described below.

The Audit department handles auditing of different types of claims that are processed by keyers, analysts, and the system. They detect errors in claims processed by any of these three sources. Each Audit analyst is assigned a unique identification number when auditing claims. The following are the types of audits that are performed on a daily basis:

• [redacted]

On a rotating basis, the Audit department checks work done by employees in training and refresher classes. All analysts involved in the claims payment process have their work audited once every six months. Supervisors may request audits be done on their analysts if they feel they are having trouble in a particular area.

We believe that the process as a whole provides sufficient protections against the inappropriate payment of claims. In addition, the Plan is actively investigating the purchase of a clinically based claims audit program that applies edits to claims during the adjudication process as a further level of protection.

Recommendation 39
We recommend that NALC HBP make the appropriate system modifications to enforce proper procedure code billing guidelines.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 38

Recommendation 40
We recommend that NALC HBP make the appropriate system modifications to ensure that claims are not paid for duplicate room and board charges.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 38

Recommendation 41
We recommend that NALC HBP make the appropriate system modification to prevent near duplicate claims from processing.

NALC HBP Response:
Included in NALC HBP Response to Recommendation 38
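The periodic reviews described in the responses to Recommendations 8, 10, 11, 13 and 15 (reconciling the HR active-employee list against network and application accounts and against access cards, and catching temporary badges that the card system cannot expire on its own) can be scripted so the comparison is repeatable and its output can be retained as the review record. The following is an added example, not NALC HBP's own tooling: the roster, accounts, the "C-<employee ID>" card-number convention and the set of roles allowed to hold privileged accounts are all constructed for illustration.

```python
"""Constructed access-review reconciliation modelled on the NALC HBP responses to
Recommendations 8, 10, 11, 13 and 15 (HR roster vs. accounts and access cards).
Example code, not NALC HBP's own tooling; every record below is made up."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    role: str
    active: bool          # False once HR records a termination


@dataclass(frozen=True)
class Account:
    system: str           # "network" or an application such as the claims system
    username: str
    emp_id: str           # HR employee ID the account is assigned to
    privileged: bool


@dataclass(frozen=True)
class AccessCard:
    card_number: str      # constructed convention: "C-<emp_id>" for permanent cards
    emp_id: str
    temporary: bool
    issued: date


# Roles the Recommendation 8 response says hold privileged accounts (assumption:
# the reviewer decides whether privilege is appropriate from the HR role name).
PRIVILEGED_ROLES = {"IS senior manager", "network administrator"}


def reconcile(employees, accounts, cards, today, temp_card_max_days=1):
    """Return a sorted list of (category, identifier, action) findings."""
    active_ids = {e.emp_id for e in employees if e.active}
    role_of = {e.emp_id: e.role for e in employees}
    findings = []

    for a in accounts:
        # Rec 10: no terminated (or unknown) individual may retain an account.
        if a.emp_id not in active_ids:
            why = "terminated employee" if a.emp_id in role_of else "no HR record"
            findings.append(("account", f"{a.system}:{a.username}", f"disable ({why})"))
        # Rec 11: privilege must match a role that is allowed to hold it.
        elif a.privileged and role_of[a.emp_id] not in PRIVILEGED_ROLES:
            findings.append(("account", f"{a.system}:{a.username}",
                             f"reduce privileges (role '{role_of[a.emp_id]}')"))

    # Rec 8: privileged accounts must be unique per user, never shared.
    holders = Counter((a.system, a.username) for a in accounts if a.privileged)
    for (system, username), n in holders.items():
        if n > 1:
            findings.append(("account", f"{system}:{username}",
                             f"shared privileged account ({n} holders)"))

    for c in cards:
        # Rec 13: cards only for active employees; card number matches ID number.
        if c.emp_id not in active_ids:
            findings.append(("card", c.card_number, "deactivate (holder not active)"))
        elif not c.temporary and c.card_number != f"C-{c.emp_id}":
            findings.append(("card", c.card_number, f"number does not match ID {c.emp_id}"))
        # Rec 15: temporary badges cannot auto-expire, so flag any left open.
        if c.temporary and (today - c.issued).days > temp_card_max_days:
            findings.append(("card", c.card_number, "deactivate (temporary badge expired)"))

    return sorted(findings)


# Constructed sample data for a review run on a made-up date.
TODAY = date(2014, 2, 3)
EMPLOYEES = [
    Employee("1001", "A. Carrier", "IS senior manager", True),
    Employee("1002", "B. Keyer", "claims analyst", True),
    Employee("1003", "C. Former", "programmer", False),       # terminated
    Employee("1004", "D. Ops", "operations", True),
    Employee("1005", "E. Netadmin", "network administrator", True),
]
ACCOUNTS = [
    Account("network", "acarrier", "1001", True),
    Account("network", "bkeyer", "1002", False),
    Account("claims", "cformer", "1003", False),              # orphaned account
    Account("network", "dops", "1004", True),                 # privilege beyond role
    Account("network", "sysadmin", "1001", True),
    Account("network", "sysadmin", "1005", True),             # shared privileged account
    Account("claims", "ghost", "9999", False),                # no HR record at all
]
CARDS = [
    AccessCard("C-1001", "1001", False, date(2012, 5, 1)),
    AccessCard("C-1002", "1002", False, date(2012, 5, 1)),
    AccessCard("C-1003", "1003", False, date(2012, 5, 1)),   # terminated holder
    AccessCard("C-2004", "1004", False, date(2013, 1, 9)),   # number/ID mismatch
    AccessCard("T-07", "1002", True, date(2014, 1, 30)),     # temporary, 4 days old
]


def run_review():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(EMPLOYEES, ACCOUNTS, CARDS, TODAY)


if __name__ == "__main__":
    for category, ident, action in run_review():
        print(f"{category:8} {ident:20} {action}")
```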